About computer security

Regarding this latest ransomware attack, I’ve seen various responses online. Here are my thoughts.

First, the origin of the problem is the NSA-discovered vulnerability in Windows, apparently present in versions ranging from XP to 10, which is weird in itself considering the differences introduced first in Vista and then in 8. This makes it unlikely that Microsoft didn’t know about it; it looks like something that was deliberately left open, as a standard back door for the NSA. Either that, or it means that they managed not to find a glaring vulnerability since 2001, which makes them incompetent. Bearing in mind that other platforms had similar issues, it wouldn’t be unheard of, but I will make my skepticism obvious – glaring flaws that go undiscovered for that long indicate either intent or incredible levels of negligence.

The immediate manifestation of the problem, the WannaCry ransomware worm, is a sophisticated product of the most dangerous kind, the one that apparently doesn’t require you to click on stupid shit in order to be infected. The malware probes your IP address for the vulnerability and, if it finds it, executes code on your machine. All it takes for you to be infected is a poorly configured firewall, or an infected machine behind your firewall, combined with a vulnerable system. The malware encrypts the victim’s files, sends the decryption key to the hackers, deletes it from the local machine and posts a ransom notice on the afflicted machine demanding bitcoin payment. It is my opinion that the obvious explanation (that this is a money-motivated hacker attack) is implausible. The reason for this is the low probability of actually collecting any money, combined with the type of attack. A more probable explanation is that this is a test, by a nation-state actor, checking out the NSA exploit that had been published by Wikileaks. The purpose of this test is most likely to force the vulnerable machines out into the open so that they can be patched and the vulnerability permanently removed, or, alternatively, to assess the impact and response in case of a real attack. It is also a good way of permanently removing the NSA-installed malware from circulation by disabling the vulnerable machines, encrypting their filesystems and thus forcing a hard-drive format. Essentially, it sterilizes the world against all NSA-installed malware using this exploit, and it is much more effective than trying to advertise patches and antivirus software, since the people who are vulnerable are basically too lazy to upgrade from Windows XP, let alone install patches.

As for the future, an obvious conclusion would be that this is not the only vulnerability in existence, and that our systems remain vulnerable to other, undiscovered attack vectors. What are the solutions? Some recommend installing Linux or buying a Mac, forgetting the Heartbleed bug in OpenSSL, which was as bad if not worse. All Linux and Mac machines were vulnerable. Considering how long it took Apple to do anything, and how long it remained undetected, I remain skeptical regarding the security of either platform. They are less common than Windows, which makes them a less tempting target, but bearing in mind that this is the exact reason why potential targets of state-actor surveillance would use them, it actually makes them more of a target, not for individual hackers, but for potentially much more dangerous people. Because hacker attacks on Linux and Mac OS are not taken seriously, the protective measures are usually weak and rely on the assumed inherent security of the UNIX-based operating systems. When reality doesn’t match the assumptions, as in the case of the Heartbleed bug, there are usually no additional layers of protection to catch the exceptions. Furthermore, one cannot exclude a low-level vulnerability installed in the device’s firmware, since firmware is proprietary and even less open to inspection than the operating systems themselves.

My recommendation, therefore, would be to assume that your system is at any point vulnerable to unauthorized access by state actors, regardless of your device type or protective measures. It is still useful to implement a layered defense against non-state actors: a hardware firewall on the router, a software firewall on the device, share as little as possible on the network, close all open ports except those that you actively need, and protect those as if they were a commercial payment system; for instance, don’t allow password authentication on SSH, and instead use key-based (RSA) authentication. Use encryption on all network communications. Always use the newest OS version with all the updates installed. Use an antivirus to check everything that arrives on your computer. Assume that the antivirus won’t catch zero-day exploits, which are the really dangerous stuff. Don’t click on stupid shit, and don’t visit sites with hacking or porn-related content, unless you’re doing it from a specially protected device or a virtual machine. Have a Linux virtual machine as a sandbox for testing potentially harmful stuff, so that it can’t damage your main device. Don’t do stupid shit from a device that’s connected to your private network, so that an attack can’t spread to the other connected devices. Don’t assume you’re safe because you use an obscure operating system. Obscure operating systems can use very widespread components, such as OpenSSL, and if those are vulnerable, your obscurity is far less than you assume. However, a combination of several layers might be a sufficient shield.
For instance, if your router shields you from one attack vector, the firewall and antivirus on your Windows host machine shield you from another attack vector (for instance UNIX-related exploits), the Linux architecture of your virtual machine shields you from the rest (the Windows-related exploits), and your common sense does the rest, you are highly unlikely to be the victim of a conventional hacker attack. However, don’t delude yourself: the state actors, especially the NSA, have access to your system on a far deeper level, and you must assume that any system connected to the network is vulnerable. If you want a really secure machine, get a generic laptop, install Linux on it from a CD, never connect it to the network and store everything important on an encrypted memory card. However, the more security measures you employ, the more attention your security is likely to receive, since where such measures are employed, there must be something worth looking at. Eventually, if you really do stupid shit, you will be vulnerable to rubber-hose cryptanalysis, which works every time. If you don’t believe me, ask the guys in Guantanamo.
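The SSH recommendation above (no password logins, keys only, treat the port like a payment system) is easy to state and easy to get subtly wrong, because sshd takes the first occurrence of a keyword and falls back to compiled-in defaults for anything you forgot to set. The script below is an added example, not part of the original post: it audits the text of an sshd_config against those recommendations. The function names (sshd_value, audit_sshd) and both sample configurations are constructed for illustration; the keywords and defaults checked are OpenSSH's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening described in the post.
# Function names and the two sample configurations are constructed, not from
# the post. The sshd keywords and their defaults are OpenSSH's.

# Constructed sample: a typical default-ish config that still allows passwords.
WEAK_SSHD_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed sample: the same server after applying the recommendations.
HARDENED_SSHD_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

# sshd_value CONFIG KEYWORD DEFAULT
# Print the effective value of KEYWORD. sshd honours the first occurrence of a
# keyword (later duplicates are ignored) and skips comment lines; if the keyword
# is absent the compiled-in DEFAULT applies. Match blocks are not modelled here.
sshd_value() {
  printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(key) && !found { print $2; found = 1 }
    END { if (!found) print def }'
}

# audit_sshd CONFIG
# Print one FINDING line per weak setting. Return 0 when the config matches the
# recommendations (no password logins, keys only, no root password login),
# 1 otherwise, so the function can be used in scripts and tests.
audit_sshd() {
  cfg="$1"
  rc=0
  if [ "$(sshd_value "$cfg" PasswordAuthentication yes)" != "no" ]; then
    echo "FINDING: PasswordAuthentication should be 'no'"; rc=1
  fi
  # With PAM enabled, keyboard-interactive auth can still prompt for a password
  # unless this is also off.
  if [ "$(sshd_value "$cfg" ChallengeResponseAuthentication yes)" != "no" ]; then
    echo "FINDING: ChallengeResponseAuthentication should be 'no'"; rc=1
  fi
  if [ "$(sshd_value "$cfg" PubkeyAuthentication yes)" != "yes" ]; then
    echo "FINDING: PubkeyAuthentication must stay 'yes' or nobody can log in"; rc=1
  fi
  case "$(sshd_value "$cfg" PermitRootLogin prohibit-password)" in
    no|prohibit-password|without-password) ;;
    *) echo "FINDING: PermitRootLogin should be 'no' or 'prohibit-password'"; rc=1 ;;
  esac
  return $rc
}

# Usage on a real server:  audit_sshd "$(cat /etc/ssh/sshd_config)"
echo "--- weak sample ---"
audit_sshd "$WEAK_SSHD_CONFIG" || echo "weak sample: NOT hardened"
echo "--- hardened sample ---"
audit_sshd "$HARDENED_SSHD_CONFIG" && echo "hardened sample: OK"
```

Run it as-is to see the weak sample produce findings and the hardened sample pass; feed it your own /etc/ssh/sshd_config as shown in the usage comment. The check deliberately reads the configuration file rather than probing the port, so it can run on the machine itself without any network access, which fits the offline, defense-in-depth stance of the post. Note that a real deployment should also verify the change took effect with `sshd -T` (which prints the effective configuration including Match blocks) before closing your existing session.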